[PATCH] libsemanage: sync filesystem with sandbox

[PATCH] libsemanage: sync filesystem with sandbox

[Petr Lautrbach]

Commit 331a109f91ea ("libsemanage: fsync final files before rename")
added fsync() for policy files and improved situation when something
unexpected happens right after rename(). However the module store could
be affected as well. After the following steps module files could be 0
size:

1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
2. Force shutdown the server during the command is run, or right after
   it's finished
3. Boot the system and look for empty files:
    # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
    1266

It looks like this situation can be avoided it the filesystem with the
store is sync()ed before rename()

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 libsemanage/src/semanage_store.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index cd5e46bb2401..632375a30925 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -1764,6 +1764,21 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
 	/* clean up some files from the sandbox before install */
 	/* remove homedir_template from sandbox */
 
+	/* sync filesystem with sandbox first */
+	fd = open(sandbox, O_DIRECTORY);
+	if (fd == -1) {
+		ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
+		retval = -1;
+		goto cleanup;
+	}
+	if (syncfs(fd) == -1) {
+		ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
+		close(fd);
+		retval = -1;
+		goto cleanup;
+	}
+    close(fd);
+
 	if (rename(sandbox, active) == -1) {
 		ERR(sh, "Error while renaming %s to %s.", sandbox, active);
 		/* note that if an error occurs during the next
-- 
2.30.0

[PATCH v2] libsemanage: sync filesystem with sandbox

[Petr Lautrbach]

Commit 331a109f91ea ("libsemanage: fsync final files before rename")
added fsync() for policy files and improved situation when something
unexpected happens right after rename(). However the module store could
be affected as well. After the following steps module files could be 0
size:

1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
2. Force shutdown the server during the command is run, or right after
   it's finished
3. Boot the system and look for empty files:
    # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
    1266

It looks like this situation can be avoided it the filesystem with the
store is sync()ed before rename()

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---

- fixed close(fd) indentation

 libsemanage/src/semanage_store.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index cd5e46bb2401..9a81be54db60 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -1764,6 +1764,21 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
 	/* clean up some files from the sandbox before install */
 	/* remove homedir_template from sandbox */
 
+	/* sync filesystem with sandbox first */
+	fd = open(sandbox, O_DIRECTORY);
+	if (fd == -1) {
+		ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
+		retval = -1;
+		goto cleanup;
+	}
+	if (syncfs(fd) == -1) {
+		ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
+		close(fd);
+		retval = -1;
+		goto cleanup;
+	}
+	close(fd);
+
 	if (rename(sandbox, active) == -1) {
 		ERR(sh, "Error while renaming %s to %s.", sandbox, active);
 		/* note that if an error occurs during the next
-- 
2.30.0

Re: [PATCH v2] libsemanage: sync filesystem with sandbox

[Nicolas Iooss]

On Thu, Jan 28, 2021 at 11:44 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> Commit 331a109f91ea ("libsemanage: fsync final files before rename")
> added fsync() for policy files and improved situation when something
> unexpected happens right after rename(). However the module store could
> be affected as well. After the following steps module files could be 0
> size:
>
> 1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
> 2. Force shutdown the server during the command is run, or right after
>    it's finished
> 3. Boot the system and look for empty files:
>     # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
>     1266
>
> It looks like this situation can be avoided it the filesystem with the
> store is sync()ed before rename()
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>
> - fixed close(fd) indentation
>
>  libsemanage/src/semanage_store.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> index cd5e46bb2401..9a81be54db60 100644
> --- a/libsemanage/src/semanage_store.c
> +++ b/libsemanage/src/semanage_store.c
> @@ -1764,6 +1764,21 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
>         /* clean up some files from the sandbox before install */
>         /* remove homedir_template from sandbox */
>
> +       /* sync filesystem with sandbox first */
> +       fd = open(sandbox, O_DIRECTORY);
> +       if (fd == -1) {
> +               ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
> +               retval = -1;
> +               goto cleanup;
> +       }
> +       if (syncfs(fd) == -1) {
> +               ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
> +               close(fd);
> +               retval = -1;
> +               goto cleanup;
> +       }
> +       close(fd);
> +
>         if (rename(sandbox, active) == -1) {
>                 ERR(sh, "Error while renaming %s to %s.", sandbox, active);
>                 /* note that if an error occurs during the next
> --
> 2.30.0
>
Hello,

The sync logic seems to be fine, but why does it happen between
rename(active, backup) and rename(sandbox, active)? It feels more
logical to me if the syncing (which could take time) was done before
the rename dance (so before rename(active, backup)). Nevertheless I
could be missing something to understand your choice. If it is so, a
comment about why syncfs() is done after rename(active, backup) would
be very useful.

Cheers,
Nicolas

Re: [PATCH v2] libsemanage: sync filesystem with sandbox

[Petr Lautrbach]

Nicolas Iooss <nicolas.iooss@m4x.org> writes:

> On Thu, Jan 28, 2021 at 11:44 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>>
>> Commit 331a109f91ea ("libsemanage: fsync final files before rename")
>> added fsync() for policy files and improved situation when something
>> unexpected happens right after rename(). However the module store could
>> be affected as well. After the following steps module files could be 0
>> size:
>>
>> 1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
>> 2. Force shutdown the server during the command is run, or right after
>>    it's finished
>> 3. Boot the system and look for empty files:
>>     # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
>>     1266
>>
>> It looks like this situation can be avoided it the filesystem with the
>> store is sync()ed before rename()
>>
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>>
>> - fixed close(fd) indentation
>>
>>  libsemanage/src/semanage_store.c | 15 +++++++++++++++
>>  1 file changed, 15 insertions(+)
>>
>> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
>> index cd5e46bb2401..9a81be54db60 100644
>> --- a/libsemanage/src/semanage_store.c
>> +++ b/libsemanage/src/semanage_store.c
>> @@ -1764,6 +1764,21 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
>>         /* clean up some files from the sandbox before install */
>>         /* remove homedir_template from sandbox */
>>
>> +       /* sync filesystem with sandbox first */
>> +       fd = open(sandbox, O_DIRECTORY);
>> +       if (fd == -1) {
>> +               ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
>> +               retval = -1;
>> +               goto cleanup;
>> +       }
>> +       if (syncfs(fd) == -1) {
>> +               ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
>> +               close(fd);
>> +               retval = -1;
>> +               goto cleanup;
>> +       }
>> +       close(fd);
>> +
>>         if (rename(sandbox, active) == -1) {
>>                 ERR(sh, "Error while renaming %s to %s.", sandbox, active);
>>                 /* note that if an error occurs during the next
>> --
>> 2.30.0
>>
> Hello,
>
> The sync logic seems to be fine, but why does it happen between
> rename(active, backup) and rename(sandbox, active)? It feels more
> logical to me if the syncing (which could take time) was done before
> the rename dance (so before rename(active, backup)). Nevertheless I
> could be missing something to understand your choice. If it is so, a
> comment about why syncfs() is done after rename(active, backup) would
> be very useful.
>

My original idea was to do syncfs(sandbox) just before sandbox is
renamed to active. But you are right that it should happen before
rename(active, backup) as if syncfs() failed there would be no active
anymore. I'll send another patch.


Thanks!

Petr